v2.3.0

@ECarry ECarry released this 08 Feb 06:50
· 4 commits to main since this release

What's New in v2.3.0

🔒 Security

  • S3 upload validation: Server-side contentType whitelist (only image formats) and file size limit
  • LIKE injection prevention: Escape SQL wildcards in photo search input
  • Visibility enforcement: Public pages now only return photos with visibility: "public"
  • Protected procedures: photos.getOne and photos.getMany restricted to authenticated users
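What the LIKE wildcard escaping listed above guards against, as an added illustration that is not code from this release: without escaping, a search term of `%` or `_` is interpreted as a pattern and matches rows the user did not type. All function, table and column names here are hypothetical, the sample titles are constructed, and backslash is assumed as the escape character.

```typescript
// Hypothetical helper: escape LIKE metacharacters (% and _) and the escape char itself.
function escapeLike(input: string): string {
  return input.replace(/[\\%_]/g, (ch) => "\\" + ch);
}

// Build a parameterized "contains" filter. The pattern is still sent as a bound
// parameter; ESCAPE names the escape character explicitly (assumed: backslash).
function buildTitleSearch(term: string): { sql: string; params: string[] } {
  return {
    sql: "SELECT id FROM photos WHERE title LIKE $1 ESCAPE '\\'",
    params: ["%" + escapeLike(term) + "%"],
  };
}

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Minimal model of LIKE matching, used only to show the effect without a database.
function likeMatch(pattern: string, value: string): boolean {
  let re = "";
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern.charAt(i);
    if (ch === "\\" && i + 1 < pattern.length) {
      re += escapeRegExp(pattern.charAt(++i)); // escaped char matches literally
    } else if (ch === "%") {
      re += "[\\s\\S]*"; // any run of characters
    } else if (ch === "_") {
      re += "[\\s\\S]"; // exactly one character
    } else {
      re += escapeRegExp(ch);
    }
  }
  return new RegExp("^" + re + "$").test(value);
}

// Constructed sample data standing in for photo titles.
const sampleTitles: string[] = ["Sunset", "100% cotton", "draft_01", "draftX01"];

// Run a "contains" search over the sample titles, with or without escaping.
function searchTitles(term: string, doEscape: boolean): string[] {
  const pattern = "%" + (doEscape ? escapeLike(term) : term) + "%";
  return sampleTitles.filter((t) => likeMatch(pattern, t));
}
```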

⚡ Improvements

  • Database transactions: photos.create and photos.remove wrapped in transactions for data consistency
  • Environment validation: Zod-based server env validation — app fails fast with clear errors on missing config
  • DB connection pool caching: Prevent connection leaks during Next.js HMR in development
  • ctx.db migration: All tRPC routers now use ctx.db instead of direct imports (better testability)
  • updatedAt timestamps: Photo updates now correctly refresh the updatedAt field
  • Error handling: photos.remove re-throws TRPCError to preserve original error codes

🐳 Docker

  • Added .dockerignore: Smaller build context, faster builds
  • Externalized secrets: docker-compose.yml now uses ${VAR:-default} syntax, overridable via .env

🧪 Testing

  • Vitest setup: Test framework with mocks for React cache, next/headers, S3 client, auth session
  • 16 photo procedure tests: Full coverage of create, update, getOne, getMany, remove including edge cases